Lessons from Sony: Cyber Attack

Sony Pictures recently became the target of a sophisticated and debilitating digital attack.  The first signs of the hack appeared in late November, when an image of a skull flashed on every employee’s computer screen accompanied by a threatening message that the company’s internal data had been compromised.  The company initially experienced a shutdown of many of its computers.  In the following days, the hackers began to leak private company data.  Five Sony films, including four unreleased projects, were leaked online, along with compensation information for the top seventeen Sony executives and social security information for more than 6,000 current and former employees.  In addition, countless confidential email exchanges were exposed to the public.  One month on, Sony continues to suffer fallout from the attack, including the suspension of several film projects due to the inability to process payments, and a decision earlier this week to cancel the release of the upcoming comedy The Interview.

Sony’s experience is one in a string of high-profile cyber security breaches.  Given the pervasive threat of cybercrime, consumers, clients, and investors alike have come to expect that companies will take proactive measures to protect their private data.  When companies fall short, litigation is likely to follow.  Take, for instance, the recent federal lawsuit filed by the Federal Trade Commission against a national hotel chain alleging that the company’s supposedly weak security measures failed to protect consumers’ payment data.  According to the FTC, the failure to provide adequate cyber security constituted an unfair business practice under Section 5 of the Federal Trade Commission Act.  Section 5 prohibits “unfair or deceptive acts or practices affecting commerce.”  An act or practice is unfair when it causes or is likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers, and is not outweighed by countervailing benefits to consumers or to competition.  The district court denied the hotel chain’s motion to dismiss, ruling that the FTC may proceed with lawsuits against companies for allegedly lax data-security policies.  The decision is now being appealed to the Third Circuit.

Technology is transforming the professional practice.  While digital advances allow companies to operate more efficiently through mobile and cloud computing, and enable companies to reach new clients, firms must remain cognizant of the potential threat of cybercrime and enact safeguards to minimize the damage.  Initially, firms must assess the potential threats and vulnerabilities of their particular organization, such as loss of data, deletion or modification of information, the use of unsecured computers or devices, or the handling of high-profile matters.  Once a firm understands the risk, it can begin to mitigate the threat.  For starters, firms should require the use of lock codes on all mobile devices, prohibit storage of work data on personal devices that are not encrypted, have a system in place to remotely erase files on lost or stolen devices, and restrict what programs employees install on company devices.  Failure to develop sufficient safeguards could compromise a company’s data, harm its reputation, and lead to costly litigation.